Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives

Rockwell Automation’s Allen Bradley PowerFlex 525 AC drives are affected by a critical denial-of-service (DoS) vulnerability that allows hackers to take control of devices.

PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers.

Nicolas Merle, a researcher at industrial cybersecurity firm Applied Risk, discovered that the PowerFlex 525 drive is affected by a serious DoS flaw that can be exploited to disrupt the configuration and control software associated with the device by sending it specially crafted UDP packets that cause the Common Industrial Protocol (CIP) network stack to crash.

Exploitation causes the software to disconnect from the device and locks legitimate users out, but an attacker can continue sending commands to the system. A hacker could, among other things, change the speed of the drive or send it start/stop commands, Merle told SecurityWeek.

The only way for victims to regain access to the device is to perform a power reset.

“The bug corrupts the CIP daemon in a way that some values returned by the devices are corrupted. It also prevents any new connection to be established with the device,” Merle explained. “One of the issues is that the control software used to interact with this device monitors all necessary values at all times and once the bug is exploited, the software receives an unexpected value and will try to restart the connection – effectively locking itself out.”

“An attacker, on the other hand, can write a simple script to initiate the connection and not close it. The commands can still be sent to the device in this state and the device will still execute them. In this way, as long as the attacker does not stop the connection, they can continue to send commands and request information. As soon as the connection is terminated, a cold reboot is required for the device to accept new connections,” the researcher added.

Applied Risk says it has uncovered the flaw in version 5.001 of the software, but believes older versions are likely affected as well. The firm says Rockwell Automation has developed a patch, but the vendor has yet to publish a security advisory.
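One way a defender could watch for the lockout symptom described above, added here as an example and not taken from Applied Risk or Rockwell Automation: flag a drive when the allowlisted control workstation repeatedly fails to connect while a host outside the allowlist still has working EtherNet/IP traffic to it. The flow-record format, addresses, thresholds and the name `find_lockouts` are assumptions; 44818 and 2222 are the registered EtherNet/IP ports.

```python
from collections import defaultdict

ENIP_PORTS = {44818, 2222}  # registered EtherNet/IP ports (explicit messaging, implicit I/O)

# Constructed flow records: (epoch_seconds, src, dst, proto, dst_port, state)
# state "ok" = traffic accepted by the drive, "fail" = connection refused or timed out
SAMPLE_FLOWS = [
    (100, "10.0.5.10", "10.0.5.50", "tcp", 44818, "ok"),
    (160, "10.0.9.77", "10.0.5.50", "udp", 44818, "ok"),
    (161, "10.0.9.77", "10.0.5.50", "tcp", 44818, "ok"),
    (170, "10.0.5.10", "10.0.5.50", "tcp", 44818, "fail"),
    (175, "10.0.5.10", "10.0.5.50", "tcp", 44818, "fail"),
    (180, "10.0.5.10", "10.0.5.50", "tcp", 44818, "fail"),
    (185, "10.0.9.77", "10.0.5.50", "tcp", 44818, "ok"),
    (200, "10.0.5.10", "10.0.5.51", "tcp", 44818, "ok"),
]

def find_lockouts(flows, drives, allowed, fail_threshold=3, window=60):
    """Alert when allowlisted hosts fail to reach a drive fail_threshold times
    within `window` seconds while a non-allowlisted host still talks to it."""
    fails = defaultdict(list)    # drive -> times an allowlisted host failed to connect
    foreign = defaultdict(list)  # drive -> (time, src) of working non-allowlisted traffic
    for ts, src, dst, proto, port, state in flows:
        if dst not in drives or port not in ENIP_PORTS:
            continue
        if src in allowed and state == "fail":
            fails[dst].append(ts)
        elif src not in allowed and state == "ok":
            foreign[dst].append((ts, src))
    alerts = []
    for drive, times in fails.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            start, end = times[i], times[i + fail_threshold - 1]
            if end - start > window:
                continue  # failures too spread out to count as one burst
            suspects = sorted({s for t, s in foreign[drive]
                               if start - window <= t <= end + window})
            if suspects:
                alerts.append({"drive": drive, "first_failure": start,
                               "suspects": suspects})
                break  # one alert per drive is enough
    return alerts
```

Because the article says a power reset is the only way to recover, an alert from a check like this is also the cue to inspect the drive's current speed and run state before cycling power.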

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
